Over the last quarter, we released a number of new features and updates for the Enclave deployment platform. We also began helping customers deployed on AWS to manage their organization’s security and compliance using Gridiron.

Yesterday, on a brief webinar, our team reviewed the updates to the Enclave platform and showed how Gridiron helps software developers build and maintain strong security management programs.

In case you missed it, you can download the slide deck and get the transcript in our resources section, or watch the full event below. We also provide a quick recap in this blog post.

New for Enclave

We intend for Enclave to be the best platform for developers to deploy regulated and sensitive software products. This quarter, we focused on improving Enclave in three ways: security and compliance, database self-service, and general usability improvements.

Security and Compliance

We launched new ways to secure apps and meet compliance goals while improving the security of Enclave itself.

Gridiron

Gridiron is our suite of tools that helps developers build and maintain strong security management programs. Gridiron makes the administrative side of protecting data easy and helps to prepare you for regulatory audits as well as customer security reviews.

In the webinar, we gave a short talk-through of how Gridiron approaches security management. This starts with the Gridiron Data Model: an API that integrates data from your business, our experience working with hundreds of customers in securing sensitive data, and industry-wide security standards provided through NIST Guidance, vulnerability and attack databases and shared intel.

Gridiron ingests data about your business through a series of straightforward and relevant questions that are easy to answer but have important implications for your internal security program.

Gridiron uses that data to create deliverables that help you show security and compliance as well as improve your business operations.

Getting started with Gridiron

If you’d like to improve your organization’s security and compliance and simplify the process for working through customer security reviews and regulatory audits, please get in touch. For a limited time we’re offering early access pricing for customers who have deployed on AWS.

Register Now for July 2017 Aptible Product Update Webinar

Our next product update webinar will be hosted on July 25, 2017 at 11am Pacific / 2pm Eastern.

No, not by virtue of using Aptible. Aptible does not use Cloudflare, and as such, our services and customer environments were not affected by the Cloudbleed vulnerability disclosed yesterday.

That said, if you use or used Cloudflare, you may be affected. You can read Cloudflare’s official description of Cloudbleed here.

If I used Cloudflare to cache PHI, what should I do?

Activate your incident response plan and talk to your lawyer immediately, unfortunately. You may be required to conduct mitigation, and breach and/or security incident notifications, by HIPAA or your business associate contracts.

Cloudbleed is one issue. Another issue is that if you were using Cloudflare to cache PHI though their CDN without a BAA, you may have been in breach of the HIPAA rules before this.

Some have suggested that Cloudflare might not be a HIPAA business associate because of an exception to the definition of business associate known as the “conduit” exception. Cloudflare is almost certainly not a conduit. HHS’s recent guidance on cloud computing takes a very narrow view:

The conduit exception applies where the only services provided to a covered entity or business associate customer are for transmission of ePHI that do not involve any storage of the information other than on a temporary basis incident to the transmission service.

OCR hasn’t clarified what “temporary” means or whether a CDN would qualify, but again, almost certainly not, as data storage is a critical, non-incidental component of CDN functionality.

What if I used Cloudflare to cache PII?

Again, activate your incident response plan and talk to your lawyer. HIPAA is just one of many data privacy regulations. Many states require companies to report breaches of personally identifiable information belonging to residents of that state.

What if I used Cloudflare for data aside from PHI or PII?

We encourage you to be safe and rotate all credentials that might have passed through Cloudflare from your app, such as session cookies, API keys, and user passwords.

What else should I do?

We encourage you to rotate your passwords for any service that used Cloudflare between September 22, 2016, and February 18, 2017. Cloudflare has not released a list of services affected. You can find one security researcher’s list of Cloudflare DNS customers (which is likely overinclusive) here.

February 22, 2017IP Filtering Made Easy With Enclave EndpointsLock down network access to your apps in a handful of clicks.Read more

February 14, 2017Logentries and Sumo Logic setup now a breezeAptible Log Drains now provide more flexible configuration, making it much easier to forward your Aptible logs to Logentries and Sumo LogicRead more

February 14, 2017ALB Endpoints Now Support SSL_PROTOCOLS_OVERRIDESatisfy regulatory requirements by disabling older versions of TLS.Read more

February 14, 2017Database Encryption now defaults to AES-256Aptible databases (and their backups) now default to AES-256 disk encryption.Read more